This policy was last updated on September 20, 2023.
The following summary provides highlights of our policy, but please read further below to review our full policy.
INFORMATION WE COLLECT
We collect various types of information about you, including:
- Information you provide to us;
- Information we collect about your use of our websites, mobile application, and other online services; and
- Information we obtain from third parties, such as those providing services to us to improve your customer experience.
We also may collect information in ways that we describe to you at the time we collect it or via other means, with your consent.
USE OF INFORMATION
We use the information we collect about our customers for the following business purposes:
- To communicate with you regarding our products, offers, promotions;
- To facilitate business transactions such as the purchase of food from our restaurants;
- To deliver targeted advertising, including offers and promotions;
- To learn more about our customers in order to improve our customers’ experience with EPL; and
- To manage online and other services your request from EPL
We may also use information we collect about you for other business purposes when you consent or otherwise request that we do so.
COOKIES AND ONLINE ADVERTISING
DISCLOSURE OF INFORMATION
We may disclose to or share the personal information we collect about you to the following parties:
- Business partners and service providers, including those that provides advertising or social media services;
- Companies and entities affiliated with EPL;
- Franchisees of EPL; and
- Other parties when required or permitted by applicable law, such as to protect our consumers and their data, or to facilitate a transaction such as the purchase of food
Although EPL cannot guarantee security of our online services or information transmitted over the Internet, we have put in place certain procedures to safeguard your personal information when it is in our control. Please see the full policy below for more information regarding data security.
YOUR DATA PRIVACY RIGHTS
Your personal information is important. Please see below for information regarding EPL’s websites and online services, links to third-party sites, your privacy rights under California law, and children’s privacy.
Please note that if you are a California resident you may have additional rights as set forth in the California Privacy Notice below.
COLLECTON OF PERSONAL INFORMATION
We collect personal information about customers and users of our Services in a variety of ways. We may collect information you provide to us, information we collect through your use of the Services, and information we collect from our third-party business partners and from publicly available sources.
Information You Provide to Us
We collect personal information from you when you voluntarily use or engage with the Services, such as providing general comments, making purchases of food or gift cards in one of our restaurants, online, or through our mobile application, registering for sweepstakes or contests, participating in our loyalty programs, and content submissions. For example, you may submit your name, postal address, e-mail address, IP address, phone number, gender, and/or birthdate in order to receive information about various subjects, register for or participate in programs, contact customer service, make purchases, or respond to surveys.
In order to process a financial transaction you request, such as the purchase of food or gift cards in a restaurant, through our mobile app, or online, we [Our Third-Party processor] may collect credit card information such as your credit card number, security code, the card’s expiration date, and a signature. When you enter one of our restaurants, we may collect information through our security cameras.
INFORMATION COLLECTED AUTOMATICALLY
The personal information we collect through cookies and tracking technologies may include your Internet Protocol (IP) address, computer/mobile device operating system and browser type, type of mobile device, the unique device identifier (UDID) or mobile equipment identifier (MEID) for your mobile device, the address of a referring web site (if any), and the pages you visit on our Services. We may use this personal information to operate, maintain, and manage our Services and to provide services such as technical support. In addition, we may collect certain personal information using various tracking technologies, Internet tags, and web beacons such as number of visitors/users of the Online Services, but only in an aggregate and non-personally identifiable form.
For each user of EPL’s Services, EPL’s Web server automatically recognizes and stores computer-readable personal information such as the visitor’s IP address and domain name combination. This is typically anonymous information automatically provided by your computer. We use this personal information to follow visitor traffic patterns through the Services to improve user experience.
INFORMATION COLLECTED THROUGH YOUR USE OF THE SERVICES
When you use the Services, such as EPL’s website or mobile application (the “App”) and related content, we may collect information about your use of these Services. The information automatically collected may include:
Usage Details. Certain details of your access to and use of the App, including traffic data, location data, logs and other communication data and the resources that you access and use on or through the App.
Device Information. Information about your mobile device and internet connection, including the device’s unique device identifier, IP address, operating system, browser type, mobile network information and the device’s telephone number.
Stored Information and Files. Metadata and other information associated with other files stored on your device. This may include, for example, photographs, audio and video clips, personal contacts and address book information.
Geolocation: Our App and mobile versions of our website may collect precise personal information about the location of your mobile device using location awareness technologies such as GPS, Wi-Fi, Bluetooth or cell tower proximity if you have consented to such tracking.
Depending on the permission settings of your personal mobile device(s) and the permission settings you choose for EPL’s mobile application, when using the App we may also collect or have access to your:
- Camera. If you enable this functionality, the App may access the camera to scan and input payment method details.
- Wi-Fi connection information. If you enable this functionality, this may allow the App to view Wi-Fi connections.
- Other. Depending on the transactions or services you choose, the App will send and receive data to and from the Internet, enable network access, control vibration of your device, or prevent your device from sleeping.
By adjusting the permissions either in your mobile device settings or your settings for the App, you may enable or disable location tracking. Please note, however, that even if you disable location services, other means of establishing or estimating location may exist and be used (such as connecting to WiFI, your device’s proximity to a WiFi network, Bluetooth technology, beacons, or our networks). Note also that if you enable location tracking, you may allow the App to track your location in the background, which can decrease battery life.
EPL may combine the personal information you provide through the Services with personal information we may collect off-line from you or from third parties.
INFORMATION COLLECTED BY OR THROUGH THIRD PARTIES
We may work with certain third parties who use one or more automated information collection technologies to collect information about you or your mobile or computing device. These third parties may include:
- Advertisers, ad networks and ad servers.
- Analytics companies.
- Your mobile device manufacturer.
- Your mobile service provider.
We or these third parties may use tracking technologies to collect information about you when you use the App. The information collected may be associated with your personal information or may include information, including personal information, about your online activities over time and across different websites, apps, and other online services websites.
DO-NOT-TRACK AND OTHER CHOICES WITH RESPECT TO ONLINE ADVERTISING
If your Internet browser employs blocking or “Do Not Track” technology that limits recognition or the collection of such computer-readable personal information, EPL will not alter or bypass such technology. EPL does not provide access to third parties to track your personal information through your use of the Services, but EPL may allow third parties to access certain personal information you provide as described in the Use and Disclosure of Your Personal Information Section below. For websites, you may opt-out of certain tracking, however, by disabling cookies through your browser or by visiting the opt-outs provided by the Network Advertising Initiative, Digital Advertising Alliance, and Google.
For more information regarding managing the privacy of your information with respect to online advertising, and to learn how to opt-out of having your information collected by these networks, please visit: http://www.youradchoices.com, http://www.aboutads.info/appchoices, http://www.networkadvertising.org, or https://www.networkadvertising.org/mobile-choice. To opt out in mobile apps, please download the Digital Advertising Alliance’s AppChoices tool at http://www.aboutads.info/appchoices and adjust the advertising preferences on your mobile device. Please note that we are not responsible for the opt out process of third parties.
USE OF YOUR PERSONAL INFORMATION
More specifically, EPL may use the personal information we collect about you for the following purposes:
- To facilitate your use of the Services;
- To improve your user experience with the Services;
- To conduct or facilitate business transactions, such as processing payment information for food or gift card purchases;
- To enable and facilitate participation in our gift card, mobile app, loyalty and other program;
- To communicate with you about our restaurants and the Services, including through interest-based (behavioral) and other targeted advertising and content;
- To respond to your requests, comments, questions, or feedback;
- To register you for accounts on the Services, such as EPL’s loyalty program;
- To provide you with marketing communications, such as promotions or offers, new product information, and information about our restaurants
- To register you for SMS, email and/or mailing lists for marketing communications;
- To provide location-based services;
- To perform analyses of the various features and functionality of the Services for our marketing purposes;
- To analyze and understand your and other consumers’ interaction with EPL and the Services, including your demographic information, EPL-related behavior and your preferences and interests, so that we may improve our products and the Services to delight our customers;
- To enable “Share With a Friend” or related services. (Note that unless and only where it is permitted by law, we do not use the contact information you provide for “Share With a Friend” functionality for other unrelated purposes without your consent or that of the recipient, if and as applicable.);
- To prevent, identify, investigate, or take action concerning suspected or actual illegal activity, or any activity that violates our policies, either in restaurant or online; or
- For any other purpose, with your consent where appropriate.
With respect to location information in particular, EPL uses this personal information for location-based services that you request, such as locating nearby EPL restaurants, identifying special offers that may be of interest to you, or personalizing your interactions with EPL. For most mobile devices, you can withdraw your permission for EPL to acquire location information through the device settings. If you have questions about how to disable your mobile device’s location services, we recommend you contact your mobile device service provider or the device manufacturer. If you would like us to delete location personal information we have collected, please contact us at the email or postal address listed below. Please note that the applications may not function properly following deletion, and that we may be required by law to retain certain personal information.
See the chart below for more information about how we use personal information we collect about you.
DISCLOSURE OF YOUR PERSONAL INFORMATION
In order to fulfill the purposes described above, we may disclose your personal information to third parties as set forth below:
- To our vendors and service providers who provide services or perform functions on our behalf, (including but not limited to, Punchh Loyalty, Heartland Payment Systems, IBM Marketing Cloud, Google Analytics, Facebook, Oracle Data Cloud, Place IQ, BlueLithium, Quantcast, Rocket Fuel, and Envysion) who are bound by obligations to keep personal information confidential and use it only for the purposes for which we disclose it to them. This includes providing personal information to social media companies which you connect with the Services and other third parties who provide content, advertising, or other functionality related to the Services.
- To third parties with your consent.
- To a buyer or other successor in the event of a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of EPL’s assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal information held by EPL’s services’ users is among the assets transferred.
- To comply with any court order, law, or legal process, including to respond to any government or regulatory request.
- If we believe disclosure is necessary or appropriate to protect the rights, property, or safety of EPL, our customers, or others. This includes exchanging personal information with other companies and organizations for the purposes of fraud protection and credit risk reduction.
- We may also publicly post on our Services certain user-generated content you submit to us.
We may also disclose aggregated personal information about our users, and personal information that does not identify any individual.
EPL fully encourages all parents to supervise their children’s on-line activities and regularly monitor their children’s use of the Internet, including use of EPL’s Services. Parents should consider using parental control tools and other services to assist them in supervising their children’s on-line use or on-line disclosure of their name, address or other personal information without parental consent.
THIRD-PARTY INFORMATION & MOBILE APPLICATION COLLECTION, ANALYSIS AND TRACKING
CORRECTING, ACCESSNG, & DELETING YOUR INFORMATION
You can change or review your personal information by logging into your account on the applications provided through the Services and visiting your account profile page. We cannot delete your personal information except by also deleting your user account. We provide you with the ability to access, rectify, port and erase your data. We store data until such data is no longer necessary to provide our Services or until your account is deleted, whichever comes first. We may not accommodate a request to change information if we believe the change would violate any or legal requirement or cause the information to be incorrect. Regarding information about children, see above re Children Under the Age of 13.
NOTICE TO CALIFORNIA CONSUMERS
This Notice to California Consumers contains the disclosures required under the California Consumer Privacy Act (“CCPA”). For individuals who are California residents, the CCPA requires certain disclosures about the categories of personal information we collect and how we use it, the categories of sources from whom we collect personal information, and the third parties with whom we share it.
California residents may request a list of certain third parties to which we have disclosed personally identifiable information about you for their own direct marketing purposes. You may make a personal information request twice in a 12-month period, so that EPL can collect information from the requesting party so that it can verify your identity, and that EPL will respond within 45 days of receiving a personal information request.
You have the following rights under the CCPA:
- Right to know about personal information collected, disclosed or sold
California residents have the right to request that we disclose what categories of personal information that we collect, use, disclose or sell about you. You may also request the specific pieces of personal information that we have collected about you. You may only make two such requests in a 12-month period, and the information provided need only cover the 12-month period prior to your request.
- Right to request deletion of your personal information
You may also request that we delete any personal information that we have collected from you, provided that we may retain personal information as authorized under the CCPA, including, but not limited to, retaining personal information necessary to provide our Services, detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, debug to identify and repair errors that impair our Site and Services, to enable solely internal uses that are reasonably aligned with your expectations based on the your relationship with us, comply with a legal obligation, or otherwise use your personal information, internally, in a lawful manner that is compatible with the context in which your provided it. If you are a California resident, you may exercise your rights under the CCPA and submit your requests in one of the following methods: (a) by submitting this online form; (b) by calling the following toll free number 877-EPL-4YOU (877-375-4968). You may also receive information about how to submit a request by visiting one of our restaurants.
NOTE: we do not sell your personal information as that term is defined in the CCPA or under Nevada Law (Section Chapter 603A of the Nevada Revised Statutes). We may provide your personal information to service providers that perform services on our behalf, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing advertising or marketing services, providing analytic services, or providing similar services on behalf of EPL. Such service providers are prohibited retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services for us.
In order to submit a request, we will need to verify your identity. If you have an account with us that is password-protected, we may verify your identity through our existing authentication practices for your account. We may request two or more data points of personal information and other proof of identification depending on the nature of the request and the personal information requested to verify your identity.
Please note that following your verified request, we will send you your personal information from the following email address: IRM Notification <email@example.com>. (Any response to your request, including any personal information may be sent as an encrypted file).
We will process and respond to your request within 45 days (in some cases, as is allowed under the CCPA, this process may be extended by an additional 45-90 days).
Please note that once you have submitted a request, we will send you a receipt, acknowledging your request, within 10 days. If, for some reason, you do not receive such a receipt within 10 days of your submitted request, please send us an email to firstname.lastname@example.org as an error may have occurred.
As a California resident, you also have the right to designate an agent to exercise these rights on your behalf. We may require proof that you have designated the authorized agent to act on your behalf and to verify your identity directly with us. Please contact us at email@example.com for more information if you wish to submit a request through an authorized agent.
We hereby inform you that if you exercise any of your rights under the CCPA, we may not deny you goods or services for that reason, or subject you to different prices than those paid by other consumers, unless provided otherwise under the CCPA, Federal, or State law.
Notice of Information We Collect
Pursuant to California Civil Section 1798.100(b), this serves as notice of the categories of personal information that we collect through the Site and at our locations and the commercial purposes for which we collected that information. All of the categories of personal information we collect about you (as detailed below) come from the following categories of sources:
- You, including through your use of our Site and Services and on behalf of any students that you enroll for our Services
- Automatically collected from you
- Our affiliate companies and franchisees
- Third parties
In particular, we have collected the following categories of personal information from California consumers within the last twelve (12) months for the following purposes:
Limited to name, email, and ip address, for loyalty, email campaigns, and online ordering systems
B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)).
Limited to name, phone number, address, credit card number, and signature, which may be used for online order processing purposes
C. Protected classification characteristics under California or federal law.
Limited to age and gender which may be used by our loyalty and offers platform
D. Commercial information.
Limited to your El Pollo Loco purchase history
E. Biometric information.
F. Internet or other similar network activity.
Limited to interactions with the El Pollo Loco website or iOS/Android APPS
G. Geolocation data.
Our App and mobile versions of our website and some 3rd parties such as Facebook may use Geolocation data for advertising and curbside pickup order fulfillment purposes. For any data collected by third party sites, related PII and geolocation history is not stored or shared with El Pollo Loco. With respect to El Pollo Loco’s app and website, any geolocation data used for order fulfillment is not stored or retained by El Pollo Loco.
H. Sensory data.
Limited to video and audio in restaurant through our security camera systems. Used to assure physical safety and security in our restaurants. Not used for identification or linking to consumer activity.
I. Professional or employment-related information.
J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)).
K. Inferences drawn from other Personal Information.
Limited to ordering preferences for marketing purposes. Some 3rd parties such as Facebook may be evaluating other preferences or characteristics.
NOTICE OF DISCLOSURES OF PERSONAL INFORMATION FOR A BUSINESS PURPOSE
In the past 12 months we have disclosed the following categories of personal information listed in Section A through K above for one or more business purposes. Such disclosures have been made to service providers and other recipients as listed in the Section entitled “DISCLOSURE OF YOUR PERSONAL INFORMATION.” In addition, please note that user generated content may be disclosed to other users of our website and Services.
The definition of “business purpose” is as follows:
- Auditing related to a current interaction with the consumer and concurrent transactions, including, but not limited to, counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with laws and other standards;
- Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity;
- Performing services on behalf of the business, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing advertising or marketing services, providing analytic services, or providing similar services on behalf of the business;
- Debugging to identify and repair errors that impair existing intended functionality;
- Short-term, transient use, provided the personal information is not disclosed to another third party and is not used to build a profile about a consumer or otherwise alter an individual consumer’s experience outside the current interaction, including, but not limited to, the contextual customization of ads shown as part of the same interaction;
- Undertaking internal research for technological development and demonstration; and
- Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the company, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by the business.
EPL takes great pride and care in maintaining the safety and security of your personal information and in preventing its unauthorized access by employing appropriate technology and internal procedures. When we transmit sensitive personal information through our Services, we protect it by encryption, such as Secure Socket Layer (SSL) protocol. However, EPL does not guarantee that unauthorized access is completely preventable in every circumstance, as no method of electronically storing or transmitting data is completely secure. It is highly recommended that you monitor your credit card activity and use of your personal information on a regular basis.
The safety and security of your information also depends on you. Where we have given you (or where you have chosen) a password for access to certain parts of our Services, you are responsible for keeping this password confidential. We ask you not to share your password with anyone.
Unfortunately, the transmission of information via the internet is not completely secure. Although we strive to protect your personal information, we cannot guarantee the security of your personal information transmitted via our Services. Any transmission of personal information is at your own risk. We are not responsible for circumvention of any privacy settings or security measures contained in the Services.
REVOCATIONS OF POLICY AND QUESTIONS